Before we get started with the updates for Red Hat Enterprise Linux 7.8, we recommend taking a serious look at moving to Red Hat Enterprise Linux 8. RHEL 7 is now in Maintenance Support and will no longer receive newer versions of container tools. Users who need access to the latest versions of Podman, Buildah and Skopeo, should move to RHEL 8 where the container-tools module is updated once a quarter. For those of you required to use containers on RHEL 7, this post will provide you a strategic and technical update.
Red Hat understands that many customers cannot upgrade immediately. So, similar to our update of container tools in RHEL 7.7, we have released one final update to the container tools provided in RHEL 7.8. Here’s a quick summary:
-
Rootless containers are now Generally Available and fully supported in RHEL Server and RHEL Workstation (release notes)
-
Major updates to container tools: Podman 1.6.4, Buildah 1.11.6 and Skopeo 0.1.41 (release notes)
-
Updated container images (release notes)
Rootless Containers Generally Available (GA)
Users of RHEL 7.8 can now use Podman 1.6.4 to find, run, build and share containers as regular users (also called rootless). This builds on the work we did in RHEL 7.7 (Three New Container Capabilities in Red Hat Enterprise Linux 7.7) as well as RHEL 7.6 (A preview of running containers without root in RHEL 7.6).
The new rootless feature can be used with a fresh installation of RHEL 7.8 or by upgrading from RHEL 7.7. When doing a fresh install, just add a new user ID and the new version of the shadow-utils package will take care of everything (/etc/subuid
and /etc/subgid
entries). With an upgrade from RHEL 7.6 or older, you will need to add the UID/GID mappings for existing users. For more detailed information, follow the Managing Containers guide in the RHEL 7 documentation.
This GA version of rootless containers in RHEL 7.8 uses fuse-overlay by default. With fuse-overlay container images are mounted more quickly, resulting in faster startup times for running containers. Overlay is also the most tested graph driver upstream and offers users the all around best experience.
While the tech preview of rootless containers RHEL 7.7 used the VFS driver (no fuse-overlay support). This had the trade-off using a lot more disk space for slightly better runtime performance. While the VFS driver is still available for users in RHEL 7.8, Red Hat strongly recommends using fuse-overlay with bind mounts (instead of VFS) for any data requiring native throughput performance.
The containers team wants to thank the kernel and file system teams for their work back porting this into the RHEL 3.10 kernel, enabling customers who can’t move from RHEL 7 just yet.
Updates to Container Tools
Also with RHEL 7.8, we are excited to announce a final major update to the container tools provided in the Extras channel. This includes stable versions of Podman 1.6.4, Buildah 1.11.6, and Skopeo 0.1.40. These versions were specifically chosen to be in line with the versions released in RHEL 8.2, making it easier to move to RHEL 8.
Here’s a short list of some interesting new features:
-
Initial support for the CNI DNS plugin, which allows containers to resolve the IPs of other containers via DNS name, has been added.
-
Podman now supports anonymous named volumes, created by specifying only a destination to the
-v
flag to thepodman create
andpodman run
commands. -
The
podman info
command, when run without root, now shows information on UID and GID mappings in the rootless user namespace. -
Added
podman build --squash-all
flag, which squashes all layers (including those of the base image) into one layer. -
The
podman network create
,podman network rm
,podman network inspect
, andpodman network ls
commands have been added to manage CNI networks used by Podman. -
The
podman volume create
command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems. -
Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing
--storage-opt ignore_chown_errors.
-
Rootless Podman containers with
--privileged
set will now mount in all host devices that the user can access. -
Rootless Podman now supports health checks (#3523).
For a deeper dive, please see the man pages, product documentation, and release notes.
An Eye Towards RHEL 8
Users thinking about moving to RHEL 8, should think through two major areas - container tools and container images.
Container Tools
This is planned to be the final release of RHEL 7 with major new features in the container tools software stack. This means Podman will not be updated beyond 1.6.4, Buildah will not be updated beyond 1.11.6, and Skopeo will not be updated beyond 0.1.41. These versions were specifically chosen for stability because they are to be supported until the end of life for RHEL 7.
They were also chosen to be the same versions as RHEL 8.2. This makes it easier for users to move to RHEL 8 with confidence. For more information on tools available versions and support options, please see the Container Tools AppStream - Content Availability page.
Users who rely on the docker or atomic command in RHEL 7 should look to migrate their applications to Podman, Buildah and Skopeo in RHEL 8. Neither command (docker and atomic) are included nor supported in RHEL 8. The versions of the docker and atomic commands in RHEL 7 will continue to receive security updates, but will not be refreshed beyond docker 1.13 and atomic 1.22.1. For more information on moving to Podman, Buildah and Skope in RHEL 8, please see our guide: Building, running, and managing containers.
Container Images
If you are still using applications based on RHEL / UBI 7, or even RHEL 6, container images, it’s important to remember that most workloads can be migrated to RHEL 8 simply by running them on a RHEL 8 container host.
The general guidance is:
-
If you are using an unprivileged container (doesn’t need the
--privileged
flag), it will likely run fine on a newer container host. -
Older applications on older container images almost always work on newer container hosts.
-
Newer container images running on older container hosts may try to use APIs which don’t exist on older hosts. This is compounded if running privileged and accessing APIs outside of the syscall layer.
For a deeper dive with some examples of what will and won’t work, please see Container Compatibility guide.
For future releases of container tools, stay tuned to RHEL 8 where our future development will happen.
关于作者
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.
产品
工具
试用购买与出售
沟通
关于红帽
我们是世界领先的企业开源解决方案供应商,提供包括 Linux、云、容器和 Kubernetes。我们致力于提供经过安全强化的解决方案,从核心数据中心到网络边缘,让企业能够更轻松地跨平台和环境运营。